podman

1
package seccomp
2

3
import (
4
	"fmt"
5
	"sort"
6
)
7

8
// ContainerImageLabel is the key of the image annotation embedding a seccomp
9
// profile.
10
const ContainerImageLabel = "io.containers.seccomp.profile"
11

12
// Policy denotes a seccomp policy.
13
type Policy int
14

15
const (
16
	// PolicyDefault - if set use SecurityConfig.SeccompProfilePath,
17
	// otherwise use the default profile.  The SeccompProfilePath might be
18
	// explicitly set by the user.
19
	PolicyDefault Policy = iota
20
	// PolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
21
	// otherwise follow SeccompPolicyDefault.
22
	PolicyImage
23
)
24

25
// Map for easy lookups of supported policies.
26
var supportedPolicies = map[string]Policy{
27
	"":        PolicyDefault,
28
	"default": PolicyDefault,
29
	"image":   PolicyImage,
30
}
31

32
// LookupPolicy looks up the corresponding Policy for the specified
33
// string. If none is found, an errors is returned including the list of
34
// supported policies.
35
//
36
// Note that an empty string resolved to SeccompPolicyDefault.
37
func LookupPolicy(s string) (Policy, error) {
38
	policy, exists := supportedPolicies[s]
39
	if exists {
40
		return policy, nil
41
	}
42

43
	// Sort the keys first as maps are non-deterministic.
44
	keys := []string{}
45
	for k := range supportedPolicies {
46
		if k != "" {
47
			keys = append(keys, k)
48
		}
49
	}
50
	sort.Strings(keys)
51

52
	return -1, fmt.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
53
}
54